Learn how to dispose of sensitive data securely.

By: Ryan Marshall
HIPAA Fulfillment Manager, SecurityMetrics

Did you know hackers can often find data that you’ve “deleted,” and exploit it?

Not properly deleting data on devices can lead to a serious breach. For example, an organization returned a leased photocopier that still held medical information on 344,579 patients. By returning a device that still contained sensitive data, the organization violated HIPAA and was fined $1.2 million.

A common mistake many organizations make is to simply delete the data on a drive and leave it at that. Unfortunately, erasing media only removes a link to the data, and the data remains on the drive. To protect your PHI, you need to permanently delete old sensitive data.

One of the biggest problems with secure data deletion is knowing what data to destroy, when to destroy, and who’s in charge of it. It may be easy If it’s not necessary, get rid of it.

Here are some things to remember when it comes to permanently deleting PHI.

Determine the life cycle of data

The first step to managing/deleting old data is to decide how long the data needs to be kept and when it should be deleted.

Your organization should establish a data lifecycle for all types of data you store. Some parameters should include:
  • How long data should be stored for regulatory purposes
  • How long you need the data

The mandate for healthcare data is that you need to keep the data for at least 6 years. If you keep data after 6 years, you'll need to continue protecting it for as long as the data is kept, up to 50 years after the patient has died.

Remember that data retention is not just about sensitive data; you also have other types of data, like logs, and you should determine how long each of them should be kept.

Keep in mind that if you delete certain data too soon, you may not have the records to go back and investigate a potential breach. It's a good idea to keep incident logs for a year and to keep logs from the last 3 months easy to access for analysis.

Know secure deletion techniques

Permanently deleting data may require a few different techniques, depending on how you want it done and whether you want to reuse the media where the data is stored. Here are a few techniques to securely delete your data.

Overwriting
Overwriting data runs over the data with a sequence of 1’s (some methods use a different set of binary sequences to ensure all the data has been overwritten). There could still be some recoverable data on the media, so this method may not be the most secure.
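
An added example (not from the original article) of the overwrite-then-delete approach described above, in Python: each pass rewrites the file in place with a fixed byte (0xFF is all 1 bits), flushes it to disk, and the last pass is read back before the file is unlinked. The function names, the pass patterns and the sample record are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB chunks so large files do not fill memory

def overwrite_pass(path, byte_value):
    """Overwrite every byte of the file in place with byte_value and flush to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:      # r+b modifies in place and does not truncate
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(bytes([byte_value]) * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())          # push this pass out of the OS cache
    return size

def verify_pass(path, byte_value):
    """Read the file back and confirm every byte equals byte_value."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(byte_value) != len(chunk):
                return False
    return True

def overwrite_and_delete(path, patterns=(0xFF, 0x00, 0xFF)):
    """Run each pattern as one full pass, verify the last one, then unlink."""
    for value in patterns:            # hypothetical pattern set, not a standard
        overwrite_pass(path, value)
    ok = verify_pass(path, patterns[-1])
    if ok:
        os.remove(path)               # only now remove the link to the data
    return ok

def demo():
    """Constructed sample: a fake record written to a temp file, then sanitized."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"patient=Jane Doe;mrn=CONSTRUCTED-0001\n" * 100)
    overwrite_pass(path, 0xFF)
    with open(path, "rb") as f:
        after_first_pass = f.read()
    deleted = overwrite_and_delete(path)
    return after_first_pass, deleted, os.path.exists(path)
```

This works at the file level only: on SSDs and on journaling or copy-on-write file systems, older copies of the blocks can persist outside the file being overwritten.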

Degaussing
This method is useful if you have magnetic tapes and hard drives. Degaussing uses a powerful magnet to erase data on magnetic media. This method is particularly helpful if you want to reuse the media.

Physical destruction
This is one of the most secure methods to permanently delete data. If you don’t plan to use the media again, it’s highly recommended you physically destroy it. You can go to companies that have industrial-sized shredders to dispose of larger hardware.

Some types of media require physical destruction for secure data deletion. Solid state drives (SSD) and optical media like DVDs and CDs generally must be destroyed physically.

Note: some SSDs include built-in erase commands that “sanitize” the drive, but they haven’t been proven to be as effective. You can use them, but it’s a risk.

Don’t forget about data on mobile devices

With stored data, one of the bigger threats is theft of the physical device. Managing data on mobile devices is a bit tricky since they can more easily be lost or stolen. If your organization stores a lot of PHI on mobile devices, it may be a good idea to use mobile device management software to control the data.

For example, remote wipe is software that removes the data remotely should a device get lost or stolen. Some remote wipes will overwrite or purge the data, while others will wipe out the encryption keys, which makes the encrypted data useless. I recommend that you use mobile device management software that includes remote wipe, so the management of data is centralized.


Additional tips

Here are some more tips to ensure secure data deletion:
  • Go through and delete data at least annually: depending on how much data you process, you may want to do it more often
  • Set someone in charge of data disposal: have someone who knows the lifecycle of data, the policies behind deletion and how it’s managed
  • Set up policies: document the process for secure data deletion, what should be done, when it should be done, and who’s responsible for it
  • Train employees: make sure your employees are aware of the policies behind data deletion

Ryan Marshall (HCISPP) is the HIPAA Fulfillment Manager at SecurityMetrics. He has worked in data security for eight years, and specialized in HIPAA, healthcare reliance, and HIPAA regulations for three years.
